PERFORCE change 218793 for review
Robert Watson
rwatson at FreeBSD.org
Mon Oct 22 06:35:36 UTC 2012
http://p4web.freebsd.org/@@218793?ac=10
Change 218793 by rwatson at rwatson_svr_ctsrd_mipsbuild on 2012/10/20 10:00:09
First of several changes to update the CheriBSD headers for CHERI
ISAv2; in this pass, header files are (generally) updated based on
definition changes, excluding instruction changes:
- Revision (I think) to split a first 64-bit field into two 32-bit
fields for the permissions and reserved bits, so swap in code.
Not 100% sure this is right, endianness is confusing.
- C26 has been returned to the pool of general-purpose registers, so
include it in saved frame state for user threads. On the other
hand, we're no longer saving TSC, so remove saving of C28.
- Expand comments on C25 use, and how we plan to return it to the
register pool once life is better.
- A few other useful comments on cp2_frame.
- Remove old permission definitions; define new ones.
- Comment that we now likely no longer require the unpriv
capability, since we can clear capability registers, but leave it
for now, until the code is updated.
- Update definitions further for the reserved register juggle.
- There is a possible bug in the CHERI ISAv2 spec, so don't quite
use the exception codes listed (KDC is probably not the same
exception code as EPCC).
Affected files ...
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#6 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#6 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#5 edit
Differences ...
==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#6 (text+ko) ====
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2011 Robert N. M. Watson
+ * Copyright (c) 2011-2012 Robert N. M. Watson
* All rights reserved.
*
* This software was developed by SRI International and the University of
@@ -42,8 +42,8 @@
*/
#define CAPABILITY_SIZE 32
struct chericap {
+ uint32_t c_reserved;
uint32_t c_uperms;
- uint32_t c_reserved;
union {
uint64_t c_otype;
uint64_t c_eaddr;
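Review bot: The new order of `c_reserved` and `c_uperms` encodes a byte-order assumption that the struct does not document, and the change description itself is unsure the swap is correct. Since `c_uperms` carries the permission bits, a wrong order would make the kernel read and write permissions in the reserved half of the word. A comment above the two fields would record the intent, for example `/* First 64-bit word, big-endian: reserved bits in the high half, permissions in the low half -- confirm against ISAv2. */`. The placement should be confirmed against the spec or a register dump before it is relied on. The struct continues past the end of this hunk.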
@@ -68,25 +68,30 @@
struct chericap cf_c0;
/*
- * General-purpose capabilities -- note, numbering is from v1.3 of
- * the CHERI ISA spec. v1.4 is expected to renumber the specific
- * purpose capabilities to be at the bottom, rather than the top, of
- * the capability register space (per Ross Anderson's suggestion).
+ * General-purpose capabilities -- note, numbering is from v1.7 of the
+ * CHERI ISA spec (ISAv2).
+ *
+ * XXXRW: Currently, C25 is used in-kernel to maintain a saved UDC
+ * (C0), and so not part of cp2_frame. This will change in the
+ * future.
*/
struct chericap cf_c1, cf_c2, cf_c3, cf_c4;
struct chericap cf_c5, cf_c6, cf_c7;
struct chericap cf_c8, cf_c9, cf_c10, cf_c11, cf_c12;
struct chericap cf_c13, cf_c14, cf_c15, cf_c16, cf_c17;
struct chericap cf_c18, cf_c19, cf_c20, cf_c21, cf_c22;
- struct chericap cf_c23, cf_c24;
+ struct chericap cf_c23, cf_c24, cf_c26;
/*
* Special-purpose capability registers that must be preserved on a
- * user context switch. Note that KT0, KT1, KCC, and KDC are omitted.
+ * user context switch. Note that KRC0, KRC1, KCC, and KDC are
+ * omitted.
*/
- struct chericap cf_tsc;
+ /* XXXRW: Gone in v1.7: struct chericap cf_tsc; */
- /* Program counter capability. */
+ /*
+ * Program counter capability -- extracted from exception frame EPCC.
+ */
struct chericap cf_pcc;
};
CTASSERT(sizeof(struct cp2_frame) == (27 * CAPABILITY_SIZE));
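Review bot: The rewritten comment calls the omitted kernel registers `KRC0` and `KRC1`, but cherireg.h in this same change defines them as `CHERI_CR_KR1C` and `CHERI_CR_KR2C`. Using the same names makes the comment greppable: `* user context switch.  Note that KR1C, KR2C, KCC, and KDC are`. With `cf_tsc` removed, that "special-purpose" comment now introduces only `cf_pcc`, so it could be merged with the program-counter comment below it. The `CTASSERT` checks total size only, not that `cf_c26` sits at the slot `CHERI_CR_C26_OFF` names. `struct cp2_frame` starts outside this hunk.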
==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheriasm.h#6 (text+ko) ====
@@ -49,7 +49,7 @@
andi reg, reg, SR_KSU_USER; \
beq reg, $0, 64f; \
nop; \
- cmove $c25, $c0; \
+ cmove $c27, $c0; \
cmove $c0, $c30; \
64:
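Review bot: The entry sequence now stashes the user `$c0` in `$c27`, but `SAVE_CP2_CONTEXT` in the next hunk still stores `$c25` into `CHERI_CR_C0_OFF`. The comments added to cheri.h and cherireg.h in this change also say C25 holds the saved user data capability. From the visible lines, the frame's C0 slot would be filled from a register this path never wrote, so a thread could be saved and later resumed with whatever capability was in `$c25`. Either keep `cmove $c25, $c0; \` until the planned KR2C swap lands, or change the save and restore macros to use the same register. The macro containing this line starts and ends outside the hunk, so the matching exit path needs the same check.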
@@ -103,6 +103,8 @@
* XXXRW: It woudld be nice to make calls to these conditional on actual CP2
* coprocessor use, similar to on-demand context management for other MIPS
* coprocessors (e.g., FP).
+ *
+ * XXXRW: Note hard-coding of UDC here.
*/
#define SAVE_CP2_CONTEXT(treg, base) \
SAVE_U_PCB_CP2REG(treg, $c25, CHERI_CR_C0_OFF, base); \
@@ -130,7 +132,7 @@
SAVE_U_PCB_CP2REG(treg, $c22, CHERI_CR_C22_OFF, base); \
SAVE_U_PCB_CP2REG(treg, $c23, CHERI_CR_C23_OFF, base); \
SAVE_U_PCB_CP2REG(treg, $c24, CHERI_CR_C24_OFF, base); \
- SAVE_U_PCB_CP2REG(treg, $c28, CHERI_CR_TSC_OFF, base); \
+ SAVE_U_PCB_CP2REG(treg, $c26, CHERI_CR_C26_OFF, base); \
SAVE_U_PCB_CP2REG(treg, $c31, CHERI_CR_PCC_OFF, base)
#define RESTORE_CP2_CONTEXT(treg, base) \
@@ -159,7 +161,7 @@
RESTORE_U_PCB_CP2REG(treg, $c22, CHERI_CR_C22_OFF, base); \
RESTORE_U_PCB_CP2REG(treg, $c23, CHERI_CR_C23_OFF, base); \
RESTORE_U_PCB_CP2REG(treg, $c24, CHERI_CR_C24_OFF, base); \
- RESTORE_U_PCB_CP2REG(treg, $c28, CHERI_CR_TSC_OFF, base); \
+ RESTORE_U_PCB_CP2REG(treg, $c26, CHERI_CR_C26_OFF, base); \
RESTORE_U_PCB_CP2REG(treg, $c31, CHERI_CR_PCC_OFF, base)
#endif /* _MIPS_INCLUDE_CHERIASM_H_ */
==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cherireg.h#5 (text+ko) ====
@@ -39,43 +39,39 @@
* but perhaps it should be.
*/
#define CHERI_PERM_NON_EPHEMERAL 0x0001
-#define CHERI_PERM_ACCESS_CR31 0x0002
-#define CHERI_PERM_ACCESS_CR30 0x0004
-#define CHERI_PERM_ACCESS_CR29 0x0008
-#define CHERI_PERM_ACCESS_CR28 0x0010
-#define CHERI_PERM_RESERVED1 0x0020
-#define CHERI_PERM_RESERVED2 0x0040
-#define CHERI_PERM_RESERVED3 0x0080
-#define CHERI_PERM_SEAL 0x0100
-#define CHERI_PERM_STORE_EPHEMERAL_CAPABILITY 0x0200
-#define CHERI_PERM_LOAD 0x0400
-#define CHERI_PERM_STORE 0x0800
-#define CHERI_PERM_LOAD_CAP 0x1000
-#define CHERI_PERM_STORE_CAP 0x2000
-#define CHEIR_PERM_EXECUTE 0x4000
+#define CHEIR_PERM_EXECUTE 0x0002
+#define CHERI_PERM_LOAD 0x0004
+#define CHERI_PERM_STORE 0x0008
+#define CHERI_PERM_LOAD_CAP 0x0010
+#define CHERI_PERM_STORE_CAP 0x0020
+#define CHERI_PERM_STORE_EPHEM_CAP 0x0040
+#define CHERI_PERM_SEAL 0x0080
+#define CHERI_PERM_SETTYPE 0x0100
+#define CHERI_PERM_RESERVED1 0x0200
+#define CHERI_PERM_ACCESS_EPCC 0x0400
+#define CHERI_PERM_ACCESS_KDC 0x0800
+#define CHERI_PERM_ACCESS_KCC 0x1000
+#define CHERI_PERM_ACCESS_KR1C 0x2000
+#define CHERI_PERM_ACCESS_KR2C 0x4000
-/*
- * XXXRW: Should this include CHERI_UNSEALED?
- */
#define CHERI_PERM_PRIV \
- (CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_ACCESS_CR31 | \
- CHERI_PERM_ACCESS_CR30 | CHERI_PERM_ACCESS_CR29 | \
- CHERI_PERM_ACCESS_CR28 | CHERI_PERM_SEAL | \
- CHERI_PERM_STORE_EPHEMERAL_CAPABILITY | CHERI_PERM_LOAD | \
- CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | CHERI_PERM_STORE_CAP | \
- CHEIR_PERM_EXECUTE)
+ (CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_EXECUTE | \
+ CHERI_PERM_LOAD | CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | \
+ CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_EPHEM_CAP | \
+ CHERI_PERM_SEAL | CHERI_PERM_SETTYPE | CHERI_PERM_RESERVED1 | \
+ CHERI_PERM_ACCESS_EPCC | CHERI_PERM_ACCESS_KDC | \
+ CHERI_PERM_ACCESS_KCC | CHERI_PERM_ACCESS_KR1C | \
+ CHERI_PERM_ACCESS_KR2C)
#define CHERI_PERM_USER \
- (CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_SEAL | \
- CHERI_PERM_STORE_EPHEMERAL_CAPABILITY | CHERI_PERM_LOAD | \
- CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | CHERI_PERM_STORE_CAP | \
- CHEIR_PERM_EXECUTE)
+ (CHERI_PERM_NON_EPHEMERAL | CHERI_PERM_EXECUTE | \
+ CHERI_PERM_LOAD | CHERI_PERM_STORE | CHERI_PERM_LOAD_CAP | \
+ CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_EPHEM_CAP | \
+ CHERI_PERM_SEAL | CHERI_PERM_SETTYPE)
/*
* Definition for kernel "privileged" capability able to name the entire
* address space.
- *
- * XXXRW: Perhaps CHERI_UCAP_UNPRIV_LENGTH should actually just cover useg.
*/
#define CHERI_CAP_PRIV_UPERMS CHERI_PERM_PRIV
#define CHERI_CAP_PRIV_OTYPE 0x0
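Review bot: `CHERI_PERM_PRIV` and `CHERI_PERM_USER` now reference `CHERI_PERM_EXECUTE`, but the only definition on the new side is still spelled `CHEIR_PERM_EXECUTE`, so the name is undefined wherever those masks are expanded. In C this is a compile error. If the header is also used in preprocessor `#if` or assembler contexts, the name could instead evaluate to 0 or become an unresolved symbol, dropping the execute bit from both masks. The fix is to rename the definition: `#define CHERI_PERM_EXECUTE 0x0002`. Separately, `CHERI_PERM_PRIV` now grants `CHERI_PERM_RESERVED1`, which deserves a one-line comment explaining why a reserved bit is set in the privileged mask.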
@@ -94,6 +90,9 @@
/*
* Definition for capability unable to name any resources. This is suitable
* for filling capability registers that should hold no privilege.
+ *
+ * XXXRW: Probably no longer required in CHERI ISAv2 as we can clear
+ * registers.
*/
#define CHERI_CAP_NOPRIV_UPERMS 0x0
#define CHERI_CAP_NOPRIV_OTYPE 0x0
@@ -129,19 +128,32 @@
#define CHERI_CR_C22 22
#define CHERI_CR_C23 23
#define CHERI_CR_C24 24
-#define CHERI_CR_UDC 25 /* UDC: user data capability (saved C0). */
-#define CHERI_CR_KT0 26 /* KT0: temporary kernel capability. */
-#define CHERI_CR_KT1 27 /* KT1: temporary kernel capability. */
-#define CHERI_CR_TSC 28 /* TSC: trusted stack capability. */
-#define CHERI_CR_KCC 29 /* KCC: kernel code capability. */
-#define CHERI_CR_KDC 30 /* KDC: kernel data capability. */
-#define CHERI_CR_EPCC 31 /* EPCC: exception program counter cap. */
+#define CHERI_CR_C25 25
+#define CHERI_CR_C26 26
+#define CHERI_CR_C27 27
+#define CHERI_CR_C28 28
+#define CHERI_CR_C29 29
+#define CHERI_CR_C30 30
+#define CHERI_CR_C31 31
-#define CHERI_CR_CT0 CHERI_CR_C10 /* CT0: temporary capability. */
+/*
+ * XXXRW: Note that UDC is used by the kernel to hold the saved user data
+ * capability during kernel execution. In the future, this will change --
+ * instead we will swap with KR2C, and save it to a frame to be used as needed
+ * later. In the mean time, userspace agrees not to use C25.
+ */
+#define CHERI_CR_RCC CHERI_CR_C24 /* Return code capability. */
+#define CHERI_CR_UDC CHERI_CR_C25 /* User data capability. */
+#define CHERI_CR_IDC CHERI_CR_C26 /* Invoked data capability.*/
+#define CHERI_CR_KR1C CHERI_CR_C27 /* Kernel reserved capability 1. */
+#define CHERI_CR_KR2C CHERI_CR_C28 /* Kernel reserved capability 2. */
+#define CHERI_CR_KCC CHERI_CR_C29 /* Kernel code capability. */
+#define CHERI_CR_KDC CHERI_CR_C30 /* Kernel data capability. */
+#define CHERI_CR_EPCC CHERI_CR_C31 /* Exception program counter cap. */
/*
* Offsets of registers in struct cp2_frame -- must match the definition in
- * cp2.h. Observe the discontinuity after $udc.
+ * cheri.h.
*/
#define CHERI_CR_C0_OFF 0
#define CHERI_CR_C1_OFF 1
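Review bot: The offsets comment drops the note about the discontinuity, but the discontinuity still exists on the new side: C25 has no slot in `cp2_frame`, and the next hunk defines `CHERI_CR_C26_OFF` as 25. I would keep a reminder in the comment, for example `* cheri.h.  Note the gap: C25 (UDC) has no slot, so C26 is stored at index 25.`, so nobody later assumes offset equals register number. The new UDC comment also says userspace "agrees" not to use C25. It would help to state there that this is a convention the kernel does not enforce.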
@@ -168,7 +180,41 @@
#define CHERI_CR_C22_OFF 22
#define CHERI_CR_C23_OFF 23
#define CHERI_CR_C24_OFF 24
-#define CHERI_CR_TSC_OFF 25
+#define CHERI_CR_C26_OFF 25
#define CHERI_CR_PCC_OFF 26
+/*
+ * List of CHERI capability cause code constants, which are used to
+ * disambiguate various CP2 exceptions.
+ *
+ * XXXRW: I wonder if we really need different permissions for each exception-
+ * handling capability.
+ *
+ * XXXRW: Curiously non-contiguous.
+ *
+ * XXXRW: KDC is listed as 0x1a in the spec, which collides with EPCC. Not
+ * sure what is actually used.
+ */
+#define CHERI_EXCCODE_NONE 0x00
+#define CHERI_EXCCODE_LENGTH 0x01
+#define CHERI_EXCCODE_TAG 0x02
+#define CHERI_EXCCODE_SEAL 0x03
+#define CHERI_EXCCODE_TYPE 0x04
+#define CHERI_EXCCODE_CALL 0x05
+#define CHERI_EXCCODE_RETURN 0x06
+#define CHERI_EXCCODE_NON_EPHEM 0x10
+#define CHERI_EXCCODE_PERM_EXEXCUTE 0x11
+#define CHERI_EXCCODE_PERM_LOAD 0x12
+#define CHERI_EXCCODE_PERM_STORE 0x13
+#define CHERI_EXCCODE_PERM_LOADCAP 0x14
+#define CHERI_EXCCODE_PERM_STORECAP 0x15
+#define CHERI_EXCCODE_STORE_EPHEM 0x16
+#define CHERI_EXCCODE_PERM_SEAL 0x17
+#define CHERI_EXCCODE_PERM_SETTYPE 0x18
+#define CHERI_EXCCODE_ACCESS_EPCC 0x1a
+#define CHERI_EXCCODE_ACCESS_KDC 0x1b /* XXXRW */
+#define CHERI_EXCCODE_ACCESS_KCC 0x1c
+#define CHERI_EXCCODE_ACCESS_KR1C 0x1d
+#define CHERI_EXCCODE_ACCESS_KR2C 0x1e
+
#endif /* _MIPS_INCLUDE_CHERIREG_H_ */
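Review bot: `CHERI_EXCCODE_PERM_EXEXCUTE` is misspelled, and since this hunk introduces the name it is cheapest to fix now: `#define CHERI_EXCCODE_PERM_EXECUTE 0x11`. The bare `/* XXXRW */` on `CHERI_EXCCODE_ACCESS_KDC` would be clearer if it said on that line that 0x1b is a guess that deviates from the spec's 0x1a, for example `/* XXXRW: spec says 0x1a; unverified. */`. Any handler that decodes cause codes from this table could misattribute a KDC access fault until the value is confirmed against the hardware.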